Jira Platform Cloud
JRACLOUD-93811: Anonymously accessible REST endpoints return 200 OK with invalid user credentials

      Issue Summary

      This is reproducible on Data Center: (no)
      Anonymously accessible REST endpoints accept requests that carry invalid user credentials instead of rejecting them.

      According to the REST API documentation, 401 Unauthorized should be returned for any unauthenticated request; the documented meaning of that status is:

      "Returned if the authentication credentials are incorrect or missing."

      However, if invalid credentials are passed to an anonymously accessible endpoint, the response is 200 OK:

      curl -I --user foo:bar 'https://sitename.atlassian.net/rest/api/2/field'
      HTTP/2 200 
      content-type: application/json;charset=UTF-8

      This is counterintuitive and does not match the documentation: a caller cannot tell from this response whether its credentials were accepted or silently ignored.

      Some endpoints that are not anonymously accessible:
      /rest/api/3/mypermissions
      /rest/api/3/project/search
      /rest/api/3/issue/bulkfetch
      /rest/api/3/issue/field

      Steps to Reproduce

      1. Make a request to an anonymously accessible REST endpoint (for example /rest/api/2/field) with invalid credentials, as in the curl command above.

      Expected Results

      401 Unauthorized should be returned, as the documentation states for incorrect credentials.

      Actual Results

      A 200 OK response is returned, and the request is served as if it were anonymous.

      Workaround

      Invalid credentials are treated as anonymous access, so a 200 from an anonymously accessible endpoint does not prove that the credentials are valid. Credentials should instead be validated against an endpoint that is not anonymously accessible, for example /rest/api/2/myself, which returns 401 when they are rejected.
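      The check below is an added example, not code from the issue or from Atlassian. It contrasts a naive probe of the anonymous /rest/api/2/field endpoint with a probe of /rest/api/2/myself, and it takes a pluggable fetch function so the same logic can be exercised offline against a constructed stand-in that reproduces the behaviour reported above (the site name, the user alice@example.com and the token are invented sample data).

```python
import base64
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, Tuple

# Endpoint that requires a real principal: rejected credentials give 401.
MYSELF_PATH = "/rest/api/2/myself"
# Anonymously accessible endpoint: 200 OK even when credentials are invalid.
FIELD_PATH = "/rest/api/2/field"

Fetch = Callable[[str, Dict[str, str]], Tuple[int, bytes]]


def basic_auth_header(user: str, token: str) -> str:
    """Build the Basic Authorization value Jira Cloud expects (email:api_token)."""
    return "Basic " + base64.b64encode(f"{user}:{token}".encode()).decode()


def urllib_fetch(url: str, headers: Dict[str, str]) -> Tuple[int, bytes]:
    """Default transport: real GET, returning (status, body) for any status."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def _headers(user: str, token: str) -> Dict[str, str]:
    return {"Authorization": basic_auth_header(user, token),
            "Accept": "application/json"}


def naive_credential_check(base: str, user: str, token: str,
                           fetch: Fetch = urllib_fetch) -> bool:
    """The mistake this report warns about: trusting 200 from an anonymous endpoint."""
    status, _ = fetch(base.rstrip("/") + FIELD_PATH, _headers(user, token))
    return status == 200


def verify_credentials(base: str, user: str, token: str,
                       fetch: Fetch = urllib_fetch) -> bool:
    """Workaround: only a non-anonymous endpoint tells rejected credentials apart.

    Returns True on 200 from /myself, False on 401, and raises on anything else
    so that a network or server problem is never mistaken for a verdict.
    """
    status, _ = fetch(base.rstrip("/") + MYSELF_PATH, _headers(user, token))
    if status == 200:
        return True
    if status == 401:
        return False
    raise RuntimeError(f"unexpected HTTP {status} from {MYSELF_PATH}")


# Constructed stand-in for a Jira Cloud site showing the reported behaviour.
VALID_CREDENTIALS = {("alice@example.com", "good-token")}  # invented sample data


def fake_jira_cloud(url: str, headers: Dict[str, str]) -> Tuple[int, bytes]:
    """Simulated site: anonymous endpoints ignore bad credentials, /myself rejects them."""
    auth = headers.get("Authorization", "")
    cred_ok = any(auth == basic_auth_header(u, t) for u, t in VALID_CREDENTIALS)
    if url.endswith(FIELD_PATH):
        return 200, b"[]"  # served as anonymous regardless of credentials
    if url.endswith(MYSELF_PATH):
        if cred_ok:
            body = {"accountId": "sample-account-id", "displayName": "Alice"}
            return 200, json.dumps(body).encode()
        return 401, b""
    return 404, b""


if __name__ == "__main__":
    site = "https://sitename.atlassian.net"
    print("naive check, bad creds:", naive_credential_check(site, "foo", "bar", fake_jira_cloud))
    print("myself check, bad creds:", verify_credentials(site, "foo", "bar", fake_jira_cloud))
    print("myself check, good creds:",
          verify_credentials(site, "alice@example.com", "good-token", fake_jira_cloud))
```

      Against a real site, drop the fetch argument so urllib_fetch is used; the important property is that verify_credentials never reports success on the strength of an anonymous endpoint, and that statuses other than 200 and 401 are surfaced as errors rather than folded into either answer.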


              Assignee: Unassigned
              Reporter: Nashid Farhad
              Affected customers: 5
              Watchers: 2